Score:3

Disable interactive SSH depending on connection origin


Scenario: the same users can connect from two different network segments to an SSH host, but they should not be able to use an interactive SSH session when connecting from one of them (it is actually long-distance tunnels); only chrooted SFTP should be allowed there.

How can this be achieved? Is it achievable with sshd's settings alone, or with a TCP wrapper (libwrap) + sshd?

Score:4

You can use the Match directive at the bottom of your sshd_config configuration file to override global settings based on, among other criteria, the Address the users connect from.

That allows you to set a plethora of specific settings differently for specific users, groups or clients.

# /etc/ssh/sshd_config
# ...
# your current global config
#
# Enable the internal sftp server (no external sftp-server binary
# has to exist inside the chroot)

Subsystem sftp internal-sftp

# ...

# Override for users connecting from the 192.0.2.0/24 subnet
# They're only allowed to use sftp to their %h home directory
#
# Note: sshd requires the ChrootDirectory and every component of its
# path to be owned by root and not writable by any other user or group,
# so the user's home itself becomes read-only for them; give them a
# writable subdirectory inside it instead.
# Match blocks must be last in the file: every line after a Match line
# belongs to that block until the next Match line or end of file.

Match Address 192.0.2.0/24
  ForceCommand internal-sftp
  ChrootDirectory %h

See this Q&A for background on the internal-sftp server.
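A more complete version of the same Match block, added here as an example and not part of the original answer. ForceCommand only replaces the shell or requested command; unless told otherwise, a client from the tunnel segment could still request -L/-R/-D port forwards, agent or X11 forwarding, which defeats the "sftp only" goal. The subnet 192.0.2.0/24, the user name alice, her home /home/alice and the upload subdirectory are assumptions for the illustration.

```sshd_config
# /etc/ssh/sshd_config  (added example, not the original answer's configuration)

# Global section: interactive logins from the other segment stay as they are.
Subsystem sftp internal-sftp

# Assumption: 192.0.2.0/24 is the long-distance tunnel segment.
# Must come after all global keywords; it applies until the next Match
# line or end of file.
Match Address 192.0.2.0/24
    # Replace whatever the client asked for with the in-process sftp server.
    ForceCommand internal-sftp
    # Chroot into the user's home. sshd insists that %h and every parent
    # directory are root-owned and not group/world-writable, e.g.
    #   chown root:root /home/alice && chmod 755 /home/alice
    #   mkdir /home/alice/upload && chown alice:alice /home/alice/upload
    # so the user writes into the assumed upload/ subdirectory, not into %h.
    ChrootDirectory %h
    # ForceCommand does not stop channel requests; close them explicitly.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check the syntax with `sshd -t`, then verify which values a connection from the tunnel segment actually gets with the extended test mode, which evaluates Match blocks for a given connection: `sshd -T -C user=alice,host=client.example.org,addr=192.0.2.10 | grep -iE 'forcecommand|chrootdirectory|allowtcpforwarding'`. Repeat with an address outside 192.0.2.0/24 and confirm the output shows the global values (`forcecommand none`, `chrootdirectory none`), so that users on the other segment keep their interactive shell.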
